Center, information rewriting method, and non-transitory storage medium

ABSTRACT

A center, configured to communicate with an OTA master configured to control software updating of an electronic control unit via a first network, includes a processor. The electronic control unit is installed in a vehicle. The processor is configured to store vehicle management information including key information used for authenticating the vehicle, and to receive an authentication signal from the vehicle via the first network. The authentication signal is signed using a unique key imparted to predetermined equipment installed in the vehicle. The processor is configured to perform authentication of the vehicle based on the vehicle management information and the authentication signal, and, when the processor receives the key information from the vehicle, to rewrite the vehicle management information stored by the processor based on the key information.

CROSS-REFERENCE TO RELATED APPLICATION

This application claims priority to Japanese Patent Application No. 2021-015061 filed on Feb. 2, 2021, incorporated herein by reference in its entirety.

BACKGROUND

1. Technical Field

The present disclosure relates to a center, an information rewriting method, and a non-transitory storage medium for controlling software updating of an electronic control unit installed in a vehicle.

2. Description of Related Art

Vehicles have a plurality of electronic control units installed onboard, for controlling operations of the vehicle. An electronic control unit includes a processor, a temporary storage unit such as random-access memory (RAM), and non-volatile memory that is a non-volatile storage unit, such as flash read only memory (ROM). The processor realizes control functions of the electronic control unit by executing software stored in the non-volatile memory. The software stored in each electronic control unit is rewritable. Updating to a newer version of the software enables the functions of the electronic control units to be improved, new vehicle control functions to be added, and so forth.

Over-the-air (OTA) technology is known as a technology for updating software of electronic control units. In OTA technology, in-vehicle communication equipment connected to an in-vehicle network, and a communication network such as the Internet or the like, are wirelessly connected. A device that handles updating processing of the software of the vehicle downloads the software from a center having a server function, via wireless communication. Installing the downloaded software to the electronic control unit enables updating and addition of software of the electronic control unit to be performed. For example, see Japanese Unexamined Patent Application Publication No. 2004-326689 (JP 2004-326689 A).

When carrying out software update processing using this OTA technology, a key held by the vehicle (vehicle-side key) and a key managed by the center as a pair for each vehicle (center-side key) are used, and authentication processing using the key is carried out between the vehicle and the center.

SUMMARY

Of equipment installed in the vehicle, when in-vehicle equipment holding the key (vehicle-side key) used for authentication processing, such as a data communication module (DCM), for example, is replaced due to malfunctioning or the like, the key imparted to the communication module in advance will also be changed together. However, the center has no way of knowing about the replacement of the communication module. Accordingly, the center does not recognize the new key imparted in advance to the communication module after replacement as the legitimate key associated with the vehicle, and therefore cannot authenticate the vehicle. Thus, there is a problem that software update by OTA cannot be performed.

The present disclosure provides a center, an information rewriting method, and a non-transitory storage medium, capable of authenticating a vehicle even when in-vehicle equipment holding a key used for authentication processing is replaced.

According to a first aspect of the technology according to the present disclosure, a center, configured to communicate with an OTA master that controls software updating of an electronic control unit via a first network, includes a processor. The electronic control unit is installed in a vehicle. The processor is configured to store vehicle management information including key information used for authentication of the vehicle. The processor is configured to receive an authentication signal from the vehicle via the first network. The authentication signal is signed using a unique key imparted to predetermined equipment installed in the vehicle. The processor is configured to perform authentication of the vehicle based on the vehicle management information and the authentication signal. The processor is configured to, when the processor receives the key information from the vehicle, rewrite the vehicle management information stored by the processor based on the key information.

In the center according to the first aspect of the technology according to the present disclosure, the processor may be configured to, when the processor receives the key information from the vehicle via a second network, rewrite the vehicle management information stored by the processor based on the key information. The second network may be different from the first network.

In the center according to the first aspect of the technology according to the present disclosure, the predetermined equipment may be a communication module configured to mediate communication between the center and the OTA master.

In the center according to the first aspect of the technology according to the present disclosure, the key information may include identification information for identifying the key imparted to the predetermined equipment and identification information for identifying the vehicle in which the predetermined equipment is installed.

In a second aspect of the technology according to the present disclosure, the information rewriting method is executed by a computer of a center including a processor and memory. The center is configured to communicate with an OTA master configured to control software updating of an electronic control unit via a first network. The electronic control unit is installed in a vehicle. The information rewriting method includes storing vehicle management information including key information used for authentication of the vehicle, and receiving an authentication signal from the vehicle via the first network. The authentication signal is signed using a unique key imparted to predetermined equipment installed in the vehicle. The information rewriting method includes performing authentication of the vehicle based on the vehicle management information and the authentication signal, and rewriting the vehicle management information based on the key information, when the key information is received from the vehicle.

In a third aspect of the technology according to the present disclosure, a non-transitory storage medium stores instructions that are executable by a computer of a center including a processor and memory, and that cause the computer to perform functions. The center is configured to communicate with an OTA master that controls software updating of an electronic control unit via a first network. The electronic control unit is installed in a vehicle. The functions include storing vehicle management information including key information used for authentication of the vehicle, and receiving an authentication signal from the vehicle via the first network. The authentication signal is signed using a unique key imparted to predetermined equipment installed in the vehicle. The functions include performing authentication of the vehicle based on the vehicle management information and the authentication signal, and rewriting the vehicle management information based on the key information, when the key information is received from the vehicle.

According to the center and so forth of the present disclosure, the vehicle can be authenticated even when the in-vehicle equipment holding the key used for authentication processing is replaced.

BRIEF DESCRIPTION OF THE DRAWINGS

Features, advantages, and technical and industrial significance of exemplary embodiments of the present disclosure will be described below with reference to the accompanying drawings, in which like signs denote like elements, and wherein:

FIG. 1 is a block diagram illustrating an overall configuration of a network system including a center according to an embodiment;

FIG. 2 is a block diagram illustrating a schematic configuration of the center;

FIG. 3 is a functional block diagram of the center;

FIG. 4 is a diagram showing an example of a key information database;

FIG. 5 is a diagram showing an example of individual vehicle key information;

FIG. 6 is a block diagram illustrating a schematic configuration of an OTA master; and

FIG. 7 is a flowchart of information rewriting processing executed in a processing device and the center.

DETAILED DESCRIPTION OF EMBODIMENTS

When in-vehicle equipment holding a key for authentication processing is replaced in a vehicle, a center according to the present disclosure acquires a key ID imparted to the replaced in-vehicle equipment and an ID of the vehicle of which the in-vehicle equipment is replaced, as key-related information, via a network different from a network that executes vehicle authentication. The center then updates the key-related information for vehicle authentication to the latest contents, based on the key-related information.

An embodiment of the present disclosure will be described below in detail with reference to the drawings.

Embodiment

Configuration

FIG. 1 is a block diagram illustrating an overall configuration of a network system including the center according to the embodiment of the present disclosure. The network system illustrated in FIG. 1 is a system for updating software of a plurality of electronic control units 40 a through 40 d installed in a vehicle. The network system is provided with a center 10 that is outside of the vehicle, an in-vehicle network 20 constructed inside of the vehicle, and a processing device 80.

1. Center

The center 10 is capable of communicating with a later-described OTA master 30 provided to the in-vehicle network 20, via a first network 70. The center 10 is capable of managing software updating of the electronic control units 40 a through 40 d that are connected to the OTA master 30, by performing communication such as vehicle authentication and transmission of update data of the electronic control units. Further, the center 10 is capable of communication with the processing device 80 via a second network 90 that is different from the first network 70. The center 10 manages the vehicle key by performing communication of later-described key-related information of the vehicle via the second network 90. The center 10 has functions as a server.

FIG. 2 is a block diagram illustrating a schematic configuration of the center 10 in FIG. 1. As shown in FIG. 2, the center 10 includes a central processing unit (CPU) 11, random-access memory (RAM) 12, a storage device 13, and a communication device 14. The storage device 13 is a device including a readable/writable storage medium such as a hard disk drive (HDD) or a solid state drive (SSD). The storage device 13 stores programs for executing software update management, information used for software update management, update data of each electronic control unit, vehicle management information including key information used for vehicle authentication, and so forth. At the center 10, the CPU 11 executes the program read from the storage device 13, using the RAM 12 as a work region. Thus, the center 10 executes predetermined processing relating to software updating. The communication device 14 is a device for communicating with the OTA master 30 via the first network 70, and communicating with the processing device 80 via the second network 90.

FIG. 3 is a functional block diagram of the center 10 illustrated in FIG. 2. The center 10 illustrated in FIG. 3 includes a storage unit 16, a communication unit 17, and a control unit 18. The storage unit 16 is realized by the storage device 13 shown in FIG. 2. The communication unit 17 and the control unit 18 are realized by the CPU 11 illustrated in FIG. 2 executing a program stored in the storage device 13 using the RAM 12.

The storage unit 16 stores information related to software update processing of one or more electronic control units installed in the vehicle. The storage unit 16 stores update management information and software update data of the electronic control unit as information related to the software update processing. The update management information is information in which information indicating software usable by the electronic control units is associated with each vehicle identification information (vehicle ID) that identifies the vehicle. A combination of the latest version information of software of each of the electronic control units is defined as, for example, information indicating software usable by the electronic control units.

Also, the storage unit 16 stores, in advance, information related to the center-side key that is paired with the vehicle-side key issued by a predetermined entity, as a key information database. The predetermined entity manages the key used to authenticate the vehicle. FIG. 4 shows an example of the key information database stored in the storage unit 16. A main unit of the vehicle-side key issued by the predetermined entity is secretly imparted to equipment used for vehicle authentication processing, such as the communication module 50, for example, in advance at the time of manufacturing the equipment. On the other hand, the center 10 is provided with a key ID, which is identification information for identifying the main unit of the vehicle-side key, and information regarding a main unit of the center-side key paired with the vehicle-side key. The example in FIG. 4 shows that the center-side key (main unit) KEY-A is paired with the vehicle-side key identified by key ID aaaa.

Further, the storage unit 16 stores individual vehicle key information. The individual vehicle key information is information in which the vehicle identification information (vehicle ID) for identifying the vehicle and the center-side key are associated. The center-side key is used to verify authentication signals signed with the vehicle-side key. FIG. 5 shows an example of individual vehicle key information stored in the storage unit 16. The example in FIG. 5 shows that the center-side key KEY-A is used to verify authentication signals from the vehicle with the vehicle ID A. This individual vehicle key information may be managed by being included in other information, such as the aforementioned update management information. The individual vehicle key information is appropriately rewritten by communication via the later-described second network 90.

The communication unit 17 is capable of receiving software update confirmation requests from the OTA master 30. An example of an update confirmation request is information transmitted from the OTA master 30 to the center 10 when the power or the ignition (IGN) of the vehicle is turned on. Update confirmation requests are information for requesting the center 10 to confirm whether there is update data for the electronic control units. In addition, the communication unit 17 is capable of receiving transmission requests (download requests) for distribution packages from the OTA master 30. Upon receiving a download request for a distribution package, the communication unit 17 transmits the distribution package to the OTA master 30. The distribution package includes software update data generated by the later-described control unit 18, for the electronic control unit.

When the communication unit 17 receives the update confirmation request from the OTA master 30, the control unit 18 determines whether there is software update data for the electronic control units installed in the vehicle identified by the vehicle ID included in the update confirmation request, based on the update management information stored in the storage unit 16. Upon determining that there is software update data for the electronic control unit, and receiving a download request for the distribution package from the OTA master 30, the control unit 18 generates a distribution package containing the corresponding update data stored in the storage unit 16.

2. In-Vehicle Network

The in-vehicle network 20 includes the OTA master 30, the electronic control units 40 a through 40 d, and the communication module 50. The OTA master 30 and the communication module 50 are connected via a bus 60 a. The OTA master 30 and the electronic control units 40 a and 40 b are connected via a bus 60 b. The OTA master 30 and the electronic control units 40 c and 40 d are connected via a bus 60 c.

The OTA master 30 is capable of wirelessly communicating with the center 10 via the first network 70 through the communication module 50. The OTA master 30 is a device having a function of managing the OTA state, controlling the software update sequence, and performing software updating of the electronic control unit of which software is an object of updating (hereinafter referred to as “target electronic control unit”). The OTA master 30 controls the software update of the target electronic control unit of the electronic control units 40 a through 40 d, based on the update data acquired from the center 10. The OTA master 30 may also be referred to as a “central gateway (CGW)”.

FIG. 6 is a block diagram illustrating a schematic configuration of the OTA master 30 in FIG. 1. As illustrated in FIG. 6, the OTA master 30 includes a CPU 31, RAM 32, ROM 33, a storage device 34, and a communication device 36. The CPU 31, the RAM 32, the ROM 33, and the storage device 34 make up a microcomputer 35. In the OTA master 30, the CPU 31 executes programs read from the ROM 33, using the RAM 32 as a work region. Accordingly, the CPU 31 executes predetermined processing related to software updating. The communication device 36 is a device for communicating with the communication module 50 and the electronic control units 40 a through 40 d, via the buses 60 a through 60 c illustrated in FIG. 1.

The electronic control units 40 a through 40 d are devices (ECUs) for controlling operations of various parts of the vehicle. Although four electronic control units 40 a through 40 d are illustrated in FIG. 1, the number of electronic control units is not limited in particular. A display device (human-machine interface (HMI)) for performing various types of display may be connected to the OTA master 30. Examples of the various types of display include a display indicating that there is update data during the software update processing of the electronic control units 40 a through 40 d, displaying an agreement request screen prompting a user or administrator of the vehicle to agree to software updating, displaying results of software updating, and so forth. An automotive navigation system or the like can be used for the display device. In addition, the number of buses connecting the electronic control unit to the OTA master 30 is not limited in particular. For example, the aforementioned display device may be connected to the OTA master 30 via a bus other than the buses 60 a through 60 c.

The communication module 50 is a unit having a function of controlling communication between the center 10 and the vehicle. The communication module 50 is communication equipment for connecting the in-vehicle network 20 to the center 10. The communication module 50 is wirelessly connected to the center 10 via the first network 70. Vehicle authentication, update data downloading, and so forth, are performed by the OTA master 30 using a wireless connection. In addition, the communication module 50 may be configured to be wirelessly connected to the processing device 80, in order to provide information regarding the key held by the vehicle. The key information includes identification information (key ID) that identifies a key 51 uniquely imparted to the communication module 50, and identification information (vehicle ID) that identifies the vehicle in which the communication module 50 is installed. Note that a configuration may be made in which the communication module 50 is included in the OTA master 30.

The processing device 80 is, for example, an information input terminal such as a personal computer or the like, installed at a dealer of the vehicle, or the like. The processing device 80 is connected to the center 10 via the second network 90 that is different from the first network 70. The processing device 80 performs communication of the above-described key information and so forth. Note that the connection between the processing device 80 and the center 10 via the second network 90 may be made via an original equipment manufacturer (OEM) 100, which is a finished vehicle manufacturer. With this configuration, the key information can be shared and managed by the center 10 and the OEM 100.

Overview of Software Update Processing

The OTA master 30 transmits a software update confirmation request to the center 10, with the power or ignition (IGN) of the vehicle being turned on, for example, as a trigger. The update confirmation request includes the vehicle ID for identification of the vehicle, and software versions for the electronic control units 40 a through 40 d connected to the in-vehicle network 20. The vehicle ID and the software versions for the electronic control units 40 a through 40 d are used to determine whether there is software update data for the electronic control units, by making comparison with the latest software version held by the center 10 for each vehicle ID. Further, the OTA master 30 receives a notification indicating whether there is update data from the center 10 as a response to the update confirmation request. When there is software update data for the electronic control units, the OTA master 30 transmits a download request for a distribution package to the center 10. Thereafter, the OTA master 30 receives the distribution package transmitted from the center 10. The distribution package may include, in addition to the update data, verification data for verifying the authenticity of the update data, the number of pieces of the update data, the order of installation, various types of control information to be used during software updating, and so forth.

The OTA master 30 determines whether there is software update data for the electronic control units, based on the response to the received update confirmation request from the center 10. In addition, the OTA master 30 verifies the authenticity of the distribution package received from the center 10 and stored in the storage device 13. Further, the OTA master 30 transfers one or more pieces of update data downloaded in the distribution package to the target electronic control unit, and causes the target electronic control unit to install the update data. After installation is complete, the OTA master 30 instructs the target electronic control unit to activate the installed update version of the software.

As acceptance request processing, the OTA master 30 causes the output device to output a notification that acceptance is required for the software update, and a notification prompting input of accepting the software update. A display device that makes notification by display, an audio output device that makes notification by audio, or the like, can be used as the output device. For example, when the display device is used as an output device in the acceptance request processing, the OTA master 30 causes the display device to display an acceptance request screen for requesting acceptance of the software update. The display device is capable of displaying a notification prompting a particular input operation, such as the user or the administrator pressing an acceptance button when accepting. In addition, in the acceptance request processing, the OTA master 30 is capable of displaying on the display device text, icons, or the like, notifying that there is software update data for the electronic control units, displaying on the display device restrictions while the software update processing is being executed, and so forth. Upon accepting input from the user or the administrator indicating acceptance, the OTA master 30 executes the above installation and activation control processing, and updates the software of the target electronic control unit.

The software update processing is made up of a download phase, an installation phase, and an activation phase. The download phase is a phase in which the OTA master 30 downloads update data from the center 10. The installation phase is a phase in which the OTA master 30 transfers the downloaded update data to the target electronic control unit and installs the update data in the storage region of the target electronic control unit. The activation phase is a phase in which the update version of the software installed by the target electronic control unit is activated.

Downloading is processing in which the OTA master 30 receives the update data for updating the software for the electronic control unit transmitted from the center 10 in the form of a distribution package, and stores the update data in the storage device 13. The download phase includes not only execution of downloading, but also includes control of a series of processing relating to downloading, such as judging whether downloading can be executed, verification of the update data, and so forth.

The update data transmitted from the center 10 to the OTA master 30 may contain any of update software for the electronic control unit, compressed data in which update software has been compressed, and divided data in which update software or compressed data has been divided. In addition, the update data may include a number of the target electronic control unit (ECU_ID) and a number for identifying the software of the electronic control unit before updating (ECU_Software_ID). The update data is downloaded as the aforementioned distribution package that contains update data for one or more electronic control units.

Installation is processing in which the OTA master 30 writes update software (an update version program) to the target electronic control unit, based on the update data downloaded from the center 10. The installation phase includes not only execution of installing, but also includes control of a series of processing relating to installing, such as judging whether installation can be executed, transfer of the update data, verification of the update software, and so forth.

When the update data includes the update software itself, the OTA master 30 transfers the update data (update software) to the target electronic control unit in the installation phase. When the update data includes compressed data, difference data, or divided data of the update software, the OTA master 30 may transfer the update data to the target electronic control unit, and the target electronic control unit may generate the update software from the update data. Alternatively, the update software may be transferred to the target electronic control unit after the OTA master 30 generates the update software from the update data. Now, the update software can be generated by decompressing compressed data or assembling difference data or divided data.

The update software can be installed by the target electronic control unit based on an installation request from the OTA master 30. Alternatively, the target electronic control unit that has received the update data may autonomously perform installation, without receiving an explicit instruction from the OTA master 30.

Activation is processing in which the target electronic control unit enables (activates) the installed update software. The activation phase includes not only execution of activating, but also includes a series of control relating to activating, such as judging whether activation can be executed, verification of execution results, and so forth.

Activation of the update software can be performed by the target electronic control unit, based on an activation request from the OTA master 30. Alternatively, the target electronic control unit, which has received the update data, may autonomously activate the update software following completion of installation, without receiving an explicit instruction from the OTA master 30.

Note that the software update processing can be performed successively or in parallel for each of the electronic control units.

Further, the “software update processing” in the present specification includes not only processing of successively performing all of the downloading, installation, and activation, but also a process of performing only a part of the downloading, installation, and activation.

Processing

Next, the processing executed in the network system according to the present embodiment will be described further with reference to FIG. 7. FIG. 7 is a flowchart showing procedures of information rewriting processing executed by the processing device 80 installed in a vehicle dealer or the like and the center 10.

The information rewriting processing shown in FIG. 7 is performed when a change occurs in in-vehicle equipment that has a key used for vehicle authentication, out of the equipment installed in the vehicle, for example, such as when the communication module 50 is replaced, or the like.

Step S701

After replacing the communication module 50, the processing device 80 acquires the ID (key ID) of the key imparted to the communication module 50 (vehicle-side key). For this acquisition, for example, a worker or the like at the dealer who has performed the work of replacing the communication module 50 may input the ID of the key imparted to the communication module 50, newly installed to the vehicle by the replacement, to the processing device 80. Alternatively, an arrangement may be made in which the key ID is transmitted from the vehicle to the processing device 80 when the power is first turned on after the replacement. Upon the vehicle-side key ID being acquired, the processing advances to step S702.

Step S702

The processing device 80 acquires the ID of the vehicle of which the communication module 50 has been replaced. For the vehicle ID, a vehicle identification number (VIN), which is a unique code including a serial number for identifying each vehicle, can be used. This acquisition may be performed by the worker at the dealer or the like, who entered the key ID in the above step S701, by entering the vehicle ID. Alternatively, an arrangement may be made in which the vehicle ID is transmitted from the vehicle to the processing device 80 when the power is first turned on after the replacement. Upon the ID of the vehicle being acquired, the processing advances to step S703.

Step S703

The processing device 80 transmits the key information including the vehicle-side key ID and the vehicle ID that have been acquired to the center 10 via the second network 90. Note that the key information may also be provided to the OEM 100, which is a finished vehicle manufacturer, in order to share, manage, and so forth, the information with the center 10. When the vehicle-side key ID and the vehicle ID are transmitted to the center 10, the processing advances to step S704.

Step S704

The center 10 receives the vehicle-side key ID and the vehicle ID from the processing device 80, via the second network 90. When the center 10 receives the vehicle-side key ID and the vehicle ID, the processing advances to step S705.

Step S705

The center 10 identifies the center-side key to be paired with the vehicle-side key, based on the vehicle-side key ID received from the processing device 80. This identifying can be performed by searching the key information database using the ID of the vehicle-side key, and extracting the center-side key associated with the ID of the vehicle-side key. When the center-side key to be paired with the vehicle-side key is identified, the processing advances to step S706.

Step S706

The center 10 rewrites the vehicle information managed by the storage unit 16, based on the identified center-side key and the vehicle ID received from the processing device 80. Specifically, the center-side key for verification that is associated with the vehicle in the individual vehicle key information shown in FIG. 5, is rewritten and updated. Thus, the information rewriting processing ends.
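The center-side handling of steps S704 to S706, and its effect on later vehicle authentication, can be illustrated with the following Python example, which is added here and is not part of the patent. The key IDs, VIN, secrets and function names are constructed, and HMAC-SHA256 over a shared secret is an assumed stand-in for the signing scheme, which this section does not specify.

```python
import hashlib
import hmac

# Constructed sample data. Assumption: a vehicle-side key and its paired
# center-side key hold the same secret, so HMAC-SHA256 stands in for signing.
VIN = "VIN-EXAMPLE-0001"
KEY_DB = {  # key information database: vehicle-side key ID -> center-side key
    "KEY-OLD-0001": b"old-module-secret",
    "KEY-NEW-0002": b"new-module-secret",
}

def new_vehicle_table():
    """Individual vehicle key information: vehicle ID -> center-side key."""
    return {VIN: KEY_DB["KEY-OLD-0001"]}

def rewrite_vehicle_key(table, vehicle_id, key_id):
    """Steps S704 to S706: identify the center-side key, then rewrite."""
    if key_id not in KEY_DB:        # S705 lookup found no paired key
        raise KeyError("unknown vehicle-side key ID: " + key_id)
    if vehicle_id not in table:     # assumption: only known vehicles are rewritten
        raise KeyError("unknown vehicle ID: " + vehicle_id)
    table[vehicle_id] = KEY_DB[key_id]

def sign(vehicle_side_key, message):
    """What the communication module does to the authentication signal."""
    return hmac.new(vehicle_side_key, message, hashlib.sha256).digest()

def authenticate(table, vehicle_id, message, signature):
    """Center-side check of an authentication signal from the first network."""
    center_key = table.get(vehicle_id)
    if center_key is None:
        return False
    expected = hmac.new(center_key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

def demo():
    """Return (auth result before rewrite, auth result after rewrite)."""
    table = new_vehicle_table()
    message = b"VIN-EXAMPLE-0001|ota-auth|nonce-1"   # constructed message
    signature = sign(b"new-module-secret", message)  # replaced module signs
    before = authenticate(table, VIN, message, signature)
    rewrite_vehicle_key(table, VIN, "KEY-NEW-0002")
    after = authenticate(table, VIN, message, signature)
    return before, after

if __name__ == "__main__":
    print(demo())
```

After the rewrite, a signal signed with the key of the removed module no longer verifies, and a key ID absent from the key information database leaves the stored record unchanged.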

Operations and Effects

As described above, when in-vehicle equipment (communication module or the like) in the vehicle that holds a key used for authentication processing is replaced, the center according to the embodiment of the present disclosure acquires the ID of the key imparted to the in-vehicle equipment newly installed to the vehicle by the replacement, and the ID of the vehicle of which the in-vehicle equipment has been replaced, as key-related information, from the processing device via a second network that is different from the first network that executes vehicle authentication.

Thus, updating can be made to the latest contents of the individual vehicle key information in which the center-side key and the vehicle ID are associated, based on the key-related information acquired in advance from the processing device, before vehicle authentication via the first network is performed in the software update processing using OTA technology. The center-side key is used to verify authentication signals signed by the vehicle-side key. Therefore, a situation can be circumvented in which the center cannot authenticate the vehicle with the new key of the replaced in-vehicle equipment, and update of the software by OTA cannot be performed.

Now, an OEM back-office system that manages key information may be used as the second network. Security of the key can be ensured by using the OEM back-office system.

Although an embodiment of the technology according to the present disclosure has been described above, the present disclosure can be understood as being, in addition to a center, an update method executed by a center provided with a processor and memory, a program, a computer-readable non-transitory storage medium storing the program, and so forth.

The technology according to the present disclosure can be used in a network system for updating software of an electronic control unit.

What is claimed is:
 1. A center configured to communicate with an OTA master configured to control software updating of an electronic control unit via a first network, the electronic control unit being installed in a vehicle, the center comprising a processor configured to: store vehicle management information including key information used for authentication of the vehicle; receive an authentication signal from the vehicle via the first network, the authentication signal being signed using a unique key imparted to predetermined equipment installed in the vehicle; perform authentication of the vehicle based on the vehicle management information and the authentication signal; and rewrite the vehicle management information stored by the processor based on the key information, when the processor receives the key information from the vehicle.
 2. The center according to claim 1, wherein the processor is configured to, when the processor receives the key information from the vehicle via a second network that is different from the first network, rewrite the vehicle management information stored by the processor, based on the key information.
 3. The center according to claim 1, wherein the predetermined equipment is a communication module configured to mediate communication between the center and the OTA master.
 4. The center according to claim 1, wherein the key information includes identification information for identifying the key imparted to the predetermined equipment and identification information for identifying the vehicle in which the predetermined equipment is installed.
 5. An information rewriting method executed by a computer of a center including a processor and memory, the center being configured to communicate with an OTA master configured to control software updating of an electronic control unit via a first network, the electronic control unit being installed in a vehicle, the information rewriting method comprising: storing vehicle management information including key information used for authentication of the vehicle; receiving an authentication signal from the vehicle via the first network, the authentication signal being signed using a unique key imparted to predetermined equipment installed in the vehicle; performing authentication of the vehicle based on the vehicle management information and the authentication signal; and rewriting the vehicle management information based on the key information, when the key information is received from the vehicle.
 6. A non-transitory storage medium storing instructions that are executable by a computer of a center including a processor and memory, and that cause the computer to perform functions, the center being configured to communicate with an OTA master configured to control software updating of an electronic control unit via a first network, the electronic control unit being installed in a vehicle, the functions comprising: storing vehicle management information including key information used for authentication of the vehicle; receiving an authentication signal from the vehicle via the first network, the authentication signal being signed using a unique key imparted to predetermined equipment installed in the vehicle; performing authentication of the vehicle based on the vehicle management information and the authentication signal; and rewriting the vehicle management information based on the key information, when the key information is received from the vehicle.